From the course: GitHub Copilot for Cybersecurity Specialists by Microsoft Press
Set up Copilot for security tasks and secure coding best practices - GitHub Copilot Tutorial
Here's the thing about GitHub Copilot. It's not just auto-complete on steroids. It's an AI pair programmer that understands context, explains code, and can be trained to think like a security engineer. This slide anchors what Copilot actually is before we wire it up for security work.

Copilot is built on large language models trained on billions of lines of public code. It doesn't just pattern match, it understands intent, context, and coding conventions. For security professionals, this means Copilot can explain attack patterns, suggest defensive code, and help you think through threat models.

Copilot lives where developers already work. Suggestions appear inline as you type. For security teams, this is critical. You're catching vulnerabilities at the moment of creation, not weeks later in a security review queue.

Language is where Copilot really becomes a security tool for you. You can ask it with your natural language to explain suspicious code, identify trust boundary violations, or refactor insecure patterns. Chat turns Copilot from helpful autocomplete into a security analyst on demand. And I'll add that we can have Copilot speak to us the way that we prefer and that we most easily understand.

Organizations need governance. Copilot Enterprise lets security teams set content exclusions, enforce policies across the org, and maintain audit trails for compliance. This is what makes Copilot viable in regulated environments.

For example, Fabrikam Financial runs Copilot Enterprise with content exclusions for their proprietary trading algorithms. Their security team uses Copilot Chat for threat modeling sessions, asking Copilot to role-play as an attacker and find weaknesses in proposed designs. Result: 40% faster threat model reviews, and more comprehensive coverage.

GitHub Advanced Security is the sensor network that makes Copilot smarter. Without GHAS, Copilot is guessing.
With GHAS, Copilot has real vulnerability data, secret detection alerts, and CodeQL findings to inform its suggestions. This is where AI meets actual security tooling.

Secret scanning automatically detects over 200 token patterns from major providers like AWS, Azure, GitHub, Stripe, and more. When a secret's detected, the provider is notified and can auto-revoke. This isn't just detection, it's automated incident response built into the commit workflow.

Every pull request that touches dependencies gets a vulnerability check. Dependency review shows exactly which CVEs you're about to introduce, before the merge. This prevents the "we shipped a Log4j vulnerability" scenario that haunted so many teams in 2021.

CodeQL is GitHub's secret weapon. It treats code as data and lets you write queries that find vulnerability patterns across your entire codebase. Unlike regex-based scanners, CodeQL understands data flow. It can trace untrusted input from an HTTP request through business logic into a SQL query.

Push protection is the hard stop. If a developer tries to push code containing a secret, the push is blocked. Not flagged, not warned, blocked. This is defense in depth at the commit level. Secrets never reach the repository history where they'd need rotation.

For example, Contoso Health enabled push protection across all 200 repositories in a single afternoon. In the first month, they blocked 47 secrets that would have required emergency rotation. The CISO calls it "the highest ROI security control we've ever deployed." No more 2 a.m. pager alerts for exposed credentials.

The bullet points on this slide are really Lesson 1's spine. They form a progression: configure Copilot, detect SQL injection, detect cross-site scripting, build custom scanners for logic flaws unique to your organization.

Secure behavior starts with environment configuration.
We'll wire GitHub Advanced Security, CodeQL static analysis, Semgrep rules, workspace settings, and repo templates so Copilot suggestions lean towards safe patterns rather than whatever compiles.

SQL injection is still one of the most destructive vulnerabilities in production systems. Copilot can flag string-built SQL the moment you type it and propose a safe, parameterized rewrite. We'll learn how to prompt Copilot to explain why the original code is vulnerable, not just rewrite it.

Cross-site scripting, or XSS, hides in the UI layer. Copilot can track untrusted data from server to template to DOM and highlight dangerous rendering paths. You'll see how Copilot helps you enforce sanitization and encoding practices that modern frameworks depend on.

Every company has rules no off-the-shelf static analysis tool understands. With Copilot, you can encode those rules into reusable prompts that act like internal scanners. That's where Copilot stops being autocomplete and becomes a security workflow engine.

For instance, Contoso Health uses Copilot to enforce billing workflow boundaries, something no traditional static analyzer ever recognized. They simply taught GitHub Copilot their domain rules and saved them as reusable security prompts in the repo.

Before we jump into SQL injection and XSS, we need to establish how to talk to GitHub Copilot so it behaves like a security partner. Copilot's value isn't in rewriting code, it's in helping you understand why something is risky and how a vulnerability actually works.

If you only ask Copilot to fix something, you're skipping the teaching moment. Instead, prompt Copilot to explain why a given pattern is insecure, how an attacker might exploit it, and what impact it could have. This builds the mental model you'll use in later lessons.

Copilot is strongest when it has context. Ask it to examine the entire file, not just a snippet or selection, so it can see how untrusted input flows through business logic.
This mirrors what security engineers do manually during a code review.

Copilot performs better if you explicitly ask for multi-step reasoning. For instance, "Analyze this code step-by-step and identify any trust boundary violations, unsafe input handling, or output encoding gaps." This produces more precise, reliable findings.

Every org has its own recurring risks. When you find a prompt that consistently identifies a pattern – SQL concatenation, unsafe DOM injection, missing validation – save it in a shared Copilot prompts file. This turns Copilot into a repeatable security workflow.

Copilot can only help you detect vulnerabilities if you understand the trust boundaries in your application. Everything in this lesson, SQL injection, cross-site scripting, and custom scanners, depends on being able to spot where untrusted input flows into sensitive logic.

The trust boundary is the moment data crosses from an external actor (user, API client, browser, device) into your application. Teach Copilot to locate these entry points so its security reasoning starts on solid ground.

User input often passes through routing, controllers, services, and data layers. Vulnerabilities hide in these transitions. Copilot excels when you ask it to analyze the entire file or call chain to see where unvalidated data moves through the system.

Every trust boundary should trigger either validation (checking type, shape, length) or sanitization (removing dangerous characters). This principle powers SQL injection prevention, XSS mitigation, and API hardening.

Ask Copilot, "Show me the trust boundaries in this file. Identify where untrusted input flows into SQL, HTML templates, or sensitive business logic." This turns Copilot into a step-by-step threat modeling assistant.

For instance, at Tailwind Traders, every new API endpoint must include a Copilot-assisted trust boundary audit.
Developers run a prompt that diagrams where input enters the system, how it moves through business logic, and where validation occurs. This reduces both SQL injection and cross-site scripting vulnerabilities before code ever reaches a pull request reviewer.

Before we configure anything, we center on the why. Modern breaches are overwhelmingly caused by a failure to catch basic patterns early. Copilot's a tool to shift security left, into the editor, into each pull request, and into the daily habits of developers.

The OWASP (Open Web Application Security Project) Top 10 remains the industry's benchmark for high impact vulnerabilities. SQLi and XSS still show up globally because unsafe patterns keep making it into production. Copilot helps us break that cycle.

Now this number that you see here isn't hype. SQLi is still responsible for catastrophic data loss. Customer PII (personally identifiable information), financial data, health information: a single vulnerable query can compromise an entire table.

Every stage later in the pipeline multiplies cost. Copilot helps catch vulnerabilities at the cheapest possible point, at the developer's keyboard.

Now this adoption gap is your advantage. By learning how to configure Copilot securely, you become the person who finally bridges this gap inside your organization.

For instance, Contoso Retail integrated Copilot into their pre-merge security checklist. They saw a sharp decline in SQLi findings and review cycle time dropped because reviewers didn't waste energy on obvious errors.

This slide explains why Copilot belongs in a larger security ecosystem. GitHub Enterprise Cloud, or GHEC, and GitHub Advanced Security, or GHAS, give Copilot the structural data it needs to make accurate assessments.

GitHub Enterprise Cloud ensures that authentication, authorization, and identity boundaries are strong. SAML enables enterprise single sign-on.
Audit logs give you traceability, which is critical when Copilot is part of your software development lifecycle.

GHAS creates the sensor network that Copilot can read. Secret scanning catches leaked tokens. Dependency scanning identifies vulnerable libraries. CodeQL provides deep semantic static analysis. Because Copilot can see GHAS alerts, it doesn't just say "this is wrong." It can propose a secure alternative aligned to your framework and language.

Understanding this flow from your IDE to the GitHub API to the Copilot backend and then resulting in AI-assisted security suggestions can help you answer questions from compliance teams about what leaves your environment and what stays inside GitHub.

This is where we stop thinking conceptually and start shaping Copilot's behavior. Configuration is the foundation. Without it, Copilot will act purely as autocomplete, which is not what we want.

Installing the appropriate tools creates the signals Copilot reacts to. Without active scanning, Copilot is blind to real vulnerabilities.

By version controlling those settings, you shift security expectations into the repo itself. Every clone inherits the same behavior.

Pre-commit hooks catch easy mistakes (secrets, unsafe patterns, formatting) before code even reaches Copilot or GHAS.

And then, our smoke test. If Copilot sees your vulnerability, your environment is correctly configured.

For example, Contoso Health distributes a hardened dev container with Copilot already configured alongside CodeQL and Semgrep rules. Onboarding becomes secure by default.

We want reproducibility. Security collapses when environments drift. Treating configuration as code ensures predictability and strong defaults.

Committing your settings JSON to the repository anchors your security posture in Git version control so it evolves through pull requests rather than Slack messages or wiki pages.

Pre-commit hooks. Place the scripts in the repo and bootstrap them so every engineer runs identical checks.

Environment consistency. New hires inherit the same secure baseline instantly. No more multi-page onboarding docs.

Enforcement. Here, defaults win. If developers don't have to remember security steps, the failure rate drops.

Pro tip: Tailwind Traders publishes a company-wide secure repo template that includes settings, hooks, CodeQL configs, and a Copilot prompt library.
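
The pre-commit step described above (scripts kept in the repo and bootstrapped so every clone runs identical checks), as an added example that is not from the course: a POSIX shell hook that scans staged additions for a few secret formats and for string-built SQL. The `.githooks/pre-commit` location, the rule names and the sample diff are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the course's code. Assumed location: .githooks/pre-commit,
# enabled once per clone with: git config core.hooksPath .githooks

# Illustrative rules only; GHAS secret scanning covers far more formats.
AWS_KEY='AKIA[0-9A-Z]{16}'
GH_TOKEN='ghp_[A-Za-z0-9]{36}'
PRIV_KEY='-----BEGIN [A-Z ]*PRIVATE KEY-----'
SQL_CONCAT="(SELECT|INSERT|UPDATE|DELETE|select|insert|update|delete)[^;]*[\"'][[:space:]]*\\+"

# Read a unified diff on stdin, check added lines only, return 1 on any finding.
scan_added_lines() {
  file="" found=0
  while IFS= read -r line; do
    case "$line" in
      '+++ '*) file="${line#+++ b/}"; continue ;;
      '+'*)    added="${line#+}" ;;
      *)       continue ;;
    esac
    for rule in "aws-access-key:$AWS_KEY" "github-token:$GH_TOKEN" \
                "private-key:$PRIV_KEY" "string-built-sql:$SQL_CONCAT"; do
      if printf '%s\n' "$added" | grep -Eq -e "${rule#*:}"; then
        echo "$file: ${rule%%:*}"
        found=1
      fi
    done
  done
  return "$found"
}

# Constructed sample diff (fake key, made-up file) for trying the scanner offline.
sample_diff() {
  cat <<'EOF'
--- a/app/db.py
+++ b/app/db.py
@@ -10,0 +11,3 @@
+query = "SELECT * FROM users WHERE id = " + user_id
+cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
+AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
EOF
}

# Scan staged changes only when installed as the hook, so the file can be sourced.
case "$0" in
  *pre-commit)
    if ! git diff --cached --unified=0 --no-color | scan_added_lines; then
      echo "pre-commit: commit blocked, remove the flagged content and retry" >&2
      exit 1
    fi ;;
esac
```

On the sample diff the concatenated query and the fake key are reported, while the parameterized `execute` call passes; the SQL rule is a line-level heuristic, so CodeQL remains the check that follows data flow.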